On Wed, 2007-09-26 at 01:24 +0200, Tomas Winkler wrote: > EAPOL frames should not be filtered out. Everything else should be filtered out > except EAPOL frames till the port is open. Right now though, when we're an AP, we're sending EAPOL frames to the mgmt interface instead of the regular 802.3 interface. This quite sucks wrt. deagg. But it's also very weird, look at ieee80211_rx_h_802_1x_pae. It sends * eapol frames for non-STA interfaces that are for us -> mgmt iface * non-eapol frames from unauthorized STAs -> bitbucket * everything else -> the regular 802.3 interface Right afterwards, unencrypted non-EAPOL frames are dropped. So any STA can actually send EAPOL frames with an arbitrary destination MAC address except our own into our 802.3 interface. Hence, it looks like the first case above is only for having eapol on mgmt iface. The only problem I see with not doing this is that hostapd will have to listen for EAPOL frames on all VLAN interfaces but I suppose that is doable. > The problem is the order of the handlers. First you need to > deaggregated the frame then filtered out non EAPLOL frames if the port > is not open. Yeah, I know, I had a plan a while back, will see if I can implement it. johannes
Attachment:
signature.asc
Description: This is a digitally signed message part
